FAQ: AirWatch Tunnel

What is the AirWatch Tunnel?

The AirWatch Tunnel provides a safe method for your organization to allow both internal and public applications to access corporate resources that reside in your secure internal network. It contains two major components:

  • AirWatch Tunnel application available in the public app store
  • AirWatch Tunnel server which gets deployed in your network 


What is Per-App VPN?

Per-App VPN is functionality that lets certain iOS applications access internal resources on an app-by-app basis. This means that some apps can be enabled to access internal resources while others are left unable to communicate with your backend systems.


What devices are supported?

iOS 8+  as well as Android 4.4+.


How is data secured in transit?

The communication is secured using Transport Layer Security (TLS) protocol and Secure Sockets Layer (SSL) protocol.


Is this a replacement for traditional VPNs?

This provides more granular control than traditional VPNs by allowing the IT admin to determine which apps can access the internal resources.


How is this different from the typical app tunneling used by the MAG?

The traditional app tunneling used by the legacy is for securing traffic for internal managed apps using apps that are either integrated with the AirWatch SDK or  wrapped with the AirWatch app wrapping engine for accessing internal sites. The AirWatch Tunnel can secure traffic for public as well as internal apps, provided they are managed and pushed from the AirWatch Admin Console. No SDK or wrapping solution is required to use AirWatch Tunnel. Your application, right out of the box will be supported with AirWatch Tunnel.


How is the end-user affected by this application and functionality?

This is transparent to the end-user as the most common use case will be the AirWatch administrator pushing down the Tunnel app from the AirWatch Admin Console. Any application that is flagged to use the Per-App VPN will automatically connect through the Tunnel without prompting the user for any sort of information.


What else do I need to configure in the AirWatch Admin Console to make this functionality work?

The following needs to be configured in order to use AirWatch Tunnel:

  • In the AirWatch Admin Console, configure AirWatch Tunnel under System/Enterprise Integration/AirWatch Tunnel
  • Create an AirWatch Tunnel VPN profile for the platform you with to use
  • The application that you would like to give per app vpn access using AirWatch Tunnel needs to be a managed application and needs to be associated to the AirWatch Tunnel profile under application management in the AirWatch Admin console
  • On premise installation of the AirWatch Tunnel server to which the devices connect


What ports need to be open for Per-App VPN?

They are configurable, but they must not be in use by another process.


Will this allow Safari or Chrome to tunnel through the AirWatch Tunnel to hit internal sites?

You can add Safari and Chrome domains to the profile to access internal sites directly through this application.


Does this support split tunneling?

For Safari, yes. Applications flagged for Per-App VPN will send all traffic though the VPN.


Does AirWatch Tunnel support UDP traffic?

No, UDP is not supported today. 

Have more questions? Submit a request


Article is closed for comments.